We recently made a temporary role change for one of our end users. The user's manager approved the change subject to switching on the ST01 trace for as long as the new role is active - which is for a month. This is for audit records.
My question is - how long can ST01 trace be activated on a single user? Is a month normal or too long? And will the trace be good enough?
As per my understanding, you need to put on the trace for the user in SM19 audit log. ST01 trace will only record the transaction executions, and will not help you to easily identify the login/logout information of the user, and the transactions executed. You can view the audit logs further in SM20.
If your intention is to identify the various authorization objects/values that the user keys in while executing the tcodes, then ST01 should be the pick. However, there is no defined period for enabling the ST01 trace, and it depends purely on your requirement. The only care that you should take is to back up the ST01 logs periodically, since they grow very fast (this also depends on the tasks that the user performs).
I recommend that you look at the requirements before choosing/enabling the right trace.
Hope this clarifies.
Thanks Raghu for your detailed answer.
I have confirmed that ST01 is the trace that is needed. Probably I will have to take daily backups of the log. A related question is - if my ST01 trace is switched on for this user for an extended period on that app server, can I run an ST01 trace on a different user on the same server? Will this affect my earlier trace?
A related question is - if my ST01 trace is switched on for this user for an extended period on that app server, can I run an ST01 trace on a different user on the same server?
Will this affect my earlier trace?
That is why you should use ST01 and related tools in development and test systems (only) and plan the changes as much and early as possible.
ST01 in PROD is useful but mostly a symptom of requirements which were previously not known.
Delta roles or temporary roles are very useful here, but you need to watch the org. levels.
Which objects and field values are the problem here? ST01 might not be the best option here (e.g. restarting the server will reset the trace...)
Please provide more details about the requirement. There are also other tools in SAP which might better match them.
This customer I am currently supporting uses ST01 trace log files indirectly, just to monitor users' activity in PROD who are assigned temporary roles. Typically, if the duration of this temporary role assignment is less than an hour or so, we always assign roles, switch trace on, user completes task, the trace is switched off and we send the trace files to the end user's Manager.
In this particular case, since the end user will be using the temporary roles for a month, I was not sure about turning trace on for a month. Are there better options?
Remember. The only problem is, the other users who have access to ST01 may put off the trace, in which case the trace will be deactivated. But it will not delete the trace which was logged already. Also, if it is required to enable trace for other users, it is not possible as mentioned by Julius, which may cause some inconvenience to the Security guys, since they may need it to analyze on the required objects while creating the roles.
Hope it is clear!